Implement and Manage Authorization Mechanisms
In this part of the tutorial, we take a look at implementing and managing authorization mechanisms, to help you understand their different aspects. An access control model is a framework that directs how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model. Authorization mechanisms are one of the most important aspects of cyber security. There are three main types of authorization mechanism:
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
Mandatory Access Control (MAC)
It is an access policy determined by the system, rather than by the owner. MAC systems are usually focused on preserving the confidentiality of data. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. If users are not specifically granted access to data, the system denies them access to the associated data. Due to this, the MAC model is more secure than the DAC model. Organizations use MAC in multilevel systems that process highly sensitive data, such as classified government and military information. Two important concepts in MAC are:
- Sensitivity labels: In a MAC-based system, all subjects and objects must have assigned labels. A subject’s sensitivity label specifies its level of trust, and an object’s sensitivity label specifies the level of trust required for access.
- Data import and export: Controlling the import of information from other systems and the export of information to other systems.
Discretionary Access Control (DAC)
This system allows the owner, creator, or data custodian of an object to control and define access to the specified object.
Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities.
A DAC model is implemented using Access Control Lists (ACLs) on objects. Each ACL defines the type of access granted or denied to subjects. Owners can alter the ACLs on their objects. Each owner decides who’s allowed access to the file and what privileges they have.
Two important concepts in DAC are:
1- File and data ownership: Every object in a system must have an owner.
2- Access rights and permissions: The controls that an owner can assign to individual users or groups for specific resources. Permissions come in three basic types of access:
- Read: The subject (user) can read contents of a file or list contents of a directory.
- Write: The subject (user) can change the contents of a file or directory (including add, rename, create, and delete).
- Execute: If the file is a program, the subject (user) can run the program.
Role Based Access Control (RBAC)
It determines how information is accessed on a system based on the role of the subject (usually a user). Systems that employ role-based or task-based access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks. In practice, role-based access control is usually implemented using groups.
In fact, we can say that RBAC is a method for managing user access controls.
A rule-based access control system uses a series of predefined rules, restrictions, and filters for accessing objects. The rules are based on “if/then” statements.
RBAC is a type of non-discretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.
Users may belong to one or many groups (either acquiring cumulative permissions or limited to the most restrictive set of permissions for all assigned groups); also a group may contain only a single individual (corresponding to a specific organizational role assigned to one person).
Access rights and permissions for objects are assigned to groups, rather than users.
One common example of a rule-BAC model is a firewall. Firewalls include a set of rules or filters within an ACL, which is defined by an administrator.
The firewall examines all the traffic going through it and only allows traffic that meets one of the rules. Firewalls have a final rule, referred to as the implicit deny rule, that denies all other traffic.
Finally, there is an advanced implementation of the rule-BAC model called Attribute Based Access Control (ABAC). ABAC models use policies whose rules combine multiple attributes.
In an ABAC-based system, whether a subject can access an object is determined by one or more attributes of the subject (such as the subject’s position title or project assignment), as well as attributes of the object itself (such as its name or owner).
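To make the rule-BAC and ABAC ideas concrete, here is a small rule evaluator added to this tutorial as an example (it is not code from the original page or from any product). It walks an ordered list of "if/then" rules, lets the first matching rule decide, and falls through to an implicit deny; the firewall ACL and the ABAC policy below are constructed sample policies, and the request attribute names (proto, dst_port, subject_title, object_owner, ...) are assumptions of the example.

```python
from typing import Any, Callable, Dict, List, Tuple

Request = Dict[str, Any]                  # attributes of one access request (constructed keys)
Condition = Callable[[Request], bool]


class Rule:
    """One predefined 'if <condition> then <action>' rule."""
    def __init__(self, name: str, condition: Condition, action: str) -> None:
        if action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")
        self.name, self.condition, self.action = name, condition, action


def attrs(**expected: Any) -> Condition:
    """Condition that holds when every named request attribute equals the expected
    value; a set as the expected value means 'any of these'. A missing attribute
    never satisfies the rule."""
    def check(req: Request) -> bool:
        for key, want in expected.items():
            have = req.get(key)
            if isinstance(want, (set, frozenset)):
                if have not in want:
                    return False
            elif have != want:
                return False
        return True
    return check


def decide(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Evaluate rules in order; the first matching rule decides. A request that
    matches no rule falls through to the implicit deny rule."""
    for rule in rules:
        if rule.condition(req):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed firewall ACL (rule-BAC): ordered filters on traffic attributes.
FIREWALL_ACL = [
    Rule("block-telnet", attrs(proto="tcp", dst_port=23), "deny"),
    Rule("web-from-anywhere", attrs(proto="tcp", dst_port={80, 443}), "allow"),
    Rule("ssh-from-admin-zone", attrs(proto="tcp", dst_port=22, src_zone="admin"), "allow"),
]

# Constructed ABAC policy: rules combine attributes of the subject and of the object.
# The 'is not None' guards keep two absent attributes from matching each other.
ABAC_POLICY = [
    Rule("owner-any-action", lambda r: r.get("subject_id") is not None
         and r.get("subject_id") == r.get("object_owner"), "allow"),
    Rule("project-member-read", lambda r: r.get("action") == "read"
         and r.get("subject_project") is not None
         and r.get("subject_project") == r.get("object_project"), "allow"),
    Rule("auditor-read-all", attrs(subject_title="auditor", action="read"), "allow"),
]
```

Rule order matters: moving "block-telnet" below an "allow" rule that also matches port 23 traffic would silently reverse the decision, which is why a deny rule that must always win is listed first.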